Cisco Support Community
Setting up ACL for DMZ

Hello.

I have an SG300 with 3 networks on it:

a Server net (192.168.2.x - VLAN 1), a DMZ (192.168.3.x - VLAN 12) and a Guest net (192.168.4.x - VLAN 10).

All this works fine; the computers / servers can reach each other - but they are not supposed to :)

When applying these access lists to the Server and DMZ VLANs, all connections go down.

Server:

ip access-list extended Server
permit ip any any

The server net needs full access to the other networks.

DMZ:

ip access-list extended DMZ
permit udp any any 192.168.2.9 0.0.0.0 domain
permit udp any any 192.168.2.10 0.0.0.0 domain
permit tcp any any 192.168.2.15 0.0.0.0 445
permit tcp any any 192.168.2.15 0.0.0.0 137-139
permit udp any any 192.168.2.15 0.0.0.0 137-139
permit tcp any any 192.168.2.19 0.0.0.0 8530

When trying from an FTP server (192.168.3.10) to telnet to 192.168.2.19 on port 8530 (WSUS), it's not working.

But when removing the ACL from the VLAN, it works perfectly :(

On VLAN 12, I'm using this command:

service-acl input DMZ default-action permit-any

What am I doing wrong?


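Added example, not part of the original post and not a Cisco tool: a small Python model that reads extended ACEs in the form the post uses (permit|deny protocol source [source-port] destination [destination-port], where an address is either `any` or `address wildcard`, a `0.0.0.0` wildcard means an exact host, and a port is a number, a range like `137-139`, a service name like `domain`, or `any`) and evaluates flows first-match, falling back to the word after `default-action` in the service-acl binding when no ACE matches. It goes beyond the posted lines in that it also handles non-zero wildcards such as `0.0.0.255` and a bare `any` in either port slot. The first-match and wildcard semantics are an assumption about how the switch evaluates the list; the flows are constructed test inputs, not captures. Run over the posted DMZ list, it reports that the telnet test from 192.168.3.10 to 192.168.2.19 port 8530 is matched by the sixth ACE and permitted, while a flow matching no ACE gets the bound default (`permit` here, `deny` if the list were bound with `default-action deny-any`). It is a paper check of what the ACE list says; it cannot tell you what the switch hardware actually does with the binding.

```python
import ipaddress
import re
from collections import namedtuple

# Service names usable in place of a port number (subset; extend as needed).
SERVICE_PORTS = {"domain": 53, "ftp": 21, "telnet": 23, "www": 80, "https": 443,
                 "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}
DEFAULT_ACTION = {"permit-any": "permit", "deny-any": "deny"}  # service-acl default-action words
_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")
_PORT = re.compile(r"(\d+)(?:-(\d+))?")
# src/dst: (address, wildcard) ints, wildcard bit 1 = don't care; sport/dport: (low, high); None = any.
Ace = namedtuple("Ace", "action proto src sport dst dport")  # proto "ip" matches every IP protocol
Flow = namedtuple("Flow", "proto src sport dst dport")        # addresses as strings, ports as ints

def _parse_port(tok):
    if tok in SERVICE_PORTS:
        return (SERVICE_PORTS[tok], SERVICE_PORTS[tok])
    m = _PORT.fullmatch(tok)
    if not m:
        raise ValueError(f"not a port spec: {tok!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {tok!r}")
    return (lo, hi)

def parse_ace(line):
    """Parse 'permit|deny proto src [sport] dst [dport]'; addresses are 'any' or 'addr wildcard'."""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    i = 2

    def take_addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None
        spec = (int(ipaddress.IPv4Address(toks[i])), int(ipaddress.IPv4Address(toks[i + 1])))
        i += 2
        return spec

    def take_port(final):
        # Ports are optional. A bare 'any' is a *port* only when an address still follows it
        # (source side) or it is the last token (destination side); otherwise it is an address.
        nonlocal i
        if i >= len(toks):
            return None
        tok = toks[i]
        if tok == "any":
            addr_follows = i + 1 < len(toks) and (toks[i + 1] == "any" or _IPV4.fullmatch(toks[i + 1]))
            if addr_follows or (final and i + 1 == len(toks)):
                i += 1
            return None
        if tok in SERVICE_PORTS or _PORT.fullmatch(tok):
            i += 1
            return _parse_port(tok)
        return None

    src, sport = take_addr(), take_port(final=False)
    dst, dport = take_addr(), take_port(final=True)
    if i != len(toks):
        raise ValueError(f"unexpected trailing tokens {toks[i:]} in {line!r}")
    return Ace(toks[0], toks[1], src, sport, dst, dport)

def _addr_ok(spec, addr):
    if spec is None:
        return True
    care = ~spec[1] & 0xFFFFFFFF  # bits the wildcard says we must compare
    return (int(ipaddress.IPv4Address(addr)) & care) == (spec[0] & care)

def ace_matches(ace, f):
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if not (_addr_ok(ace.src, f.src) and _addr_ok(ace.dst, f.dst)):
        return False
    if f.proto not in ("tcp", "udp"):  # no ports to compare for e.g. icmp
        return ace.sport is None and ace.dport is None
    return all(p is None or p[0] <= v <= p[1] for p, v in ((ace.sport, f.sport), (ace.dport, f.dport)))

def evaluate(acl, default_action, f):
    """First matching ACE wins; returns (action, 1-based ACE number or None if the default applied)."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, f):
            return (ace.action, n)
    return (DEFAULT_ACTION[default_action], None)

# The two lists from the post, verbatim.
SERVER_ACL = [parse_ace("permit ip any any")]
DMZ_ACL = [parse_ace(l) for l in """\
permit udp any any 192.168.2.9 0.0.0.0 domain
permit udp any any 192.168.2.10 0.0.0.0 domain
permit tcp any any 192.168.2.15 0.0.0.0 445
permit tcp any any 192.168.2.15 0.0.0.0 137-139
permit udp any any 192.168.2.15 0.0.0.0 137-139
permit tcp any any 192.168.2.19 0.0.0.0 8530""".splitlines()]

if __name__ == "__main__":  # the telnet test from the post (constructed flow), under both default actions
    wsus = Flow("tcp", "192.168.3.10", 51000, "192.168.2.19", 8530)
    print(evaluate(DMZ_ACL, "permit-any", wsus), evaluate(DMZ_ACL, "deny-any", wsus))
```

If the paper model permits a flow that the switch drops, the ACE text is not where the answer is, and it is worth confirming on the device itself which list is bound to which VLAN before changing the ACEs.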